A Lunchtime Musing: Managing Risk

If you hadn’t figured it out by now, I work professionally in the field of cybersecurity. One of the concerns in my field is the question of risk: how to manage it, how much is tolerable for an organization, what can be done to mitigate it. All of the cybersecurity techniques you know are related to the question: virus scanners mitigate the risk of malware; passwords mitigate the risk of unauthorized users; firewalls mitigate the risk of unauthorized systems accessing a network, and so forth.

I’ve been thinking a lot about risk in the aftermath of the tragedy in Orlando, and in particular about the reactions of our presumptive leaders, as well as the initiatives that always start after an event like this. Naturally, I see them all dealing with risk in some ways, and in some ways misunderstanding risk.

Donald Trump has blinders on with respect to risk. He clearly sees risk — a lot of risk — in immigrants and terrorists, but is blind to the risk of home-grown terrorism, or risk that comes from easy access to assault weapons. Further, his approach to the risk he sees is to be clearly risk averse. He has a low risk tolerance, and wants to (if possible) eliminate the risk through closing down immigration and building walls. His approach is impractical and costly, as experience has shown.

Hillary Clinton understands that the risk will be present, and wants to reduce it (understanding that it cannot be eliminated). This is where the call for restricting selected gun sales based on findings from background investigations, and calls for restricting the types of weapons come from. They will not eliminate all the possible terrorist actions on American soil, but they will serve to reduce the risk of those actions.

The mass populace also has difficulty understanding the difference between risk mitigation and risk avoidance. There are segments who believe that all guns should be banned. Those folks have blinders on regarding risks: banning guns will not eliminate all gun risk (for there is still the criminal element), and it also ignores non-gun attacks. There are some who believe the more moderated approach of increasing the difficulty to get attack weapons is pointless if attacks are still possible. They are the type that are risk averse, and fail to see the benefit that comes from reducing risk.

With respect to terrorist attacks and home-grown gun attacks, we need to understand that we cannot eliminate them completely. The potential is already there, with existing weapons and the free flow of ideas that our society permits. That is a risk we must accept. What we can — and must — do is reduce the risk where we can: this means reducing the ability to buy and sell weaponry that can create massive casualties, increasing our ability to be resilient in the face of attack, and aggressively going after home-grown terrorism and terrorist cells (within our existing legal framework), with increased monitoring of those identified as being sympathetic to or involved with those home-grown causes (again, while still remaining in our legal system with respect to monitoring and the rights of US citizens).